Project

Operationalisation of National Public Key Infrastructure (NPKI) in Kenya – Creating trust in the government’s growing e-services

Summary

This project is part of the United Kingdom Foreign, Commonwealth & Development Office (FCDO) commitment to build national cyber security capacity and resilience to cybersecurity threats in five middle-income countries. The UK Government’s Digital Access Programme provides support through: Government-to-Government technical assistance; cyber hygiene training; public awareness-raising; and research. It aims to reduce the impact of cyber harms on their governments, economies and citizens – particularly amongst groups vulnerable to online exploitation.

Details

Aim

For KPMG Kenya to:

  • Support the Kenyan Citizens ICT Authority (ICTA) and the Communications Authority (CA);
  • Support the implementation of ICTA’s internal programme of work to improve its security controls around government business;
  • Meet the urgent demand for National Public Key Infrastructure (NPKI) related support as indicated by Kenya government departments, ministries, and agencies.

Context

This project is part of the UK Government’s Digital Access Programme, which aims to provide safe, secure and affordable digital access for underserved populations, reducing poverty and increasing economic prosperity as a result. The focus of this project is on cryptographic controls, the practice of ensuring secure communication, which are an essential component of any secure government cyber infrastructure for preventing the misuse and threats of communicating in cyberspace. Cryptographic techniques are needed to protect data both at rest and in transit, and these techniques should align with international standards and best practices.

In the context of Kenya, the government has sought to create a Public Key Infrastructure (PKI) in line with international best practice to expand the e-services it offers to its citizens. PKI is a system for the creation, storage and distribution of digital certificates and is a key enabler of e-commerce and the government’s digital economy agenda, as it will help increase the security of online transactions. During the COVID-19 pandemic, the number of online transactions made by Kenyan citizens and organisations increased, which increased the risk of security threats and the need to protect the data of the Kenya government and its citizens.

Outcomes

  • ICTA and key stakeholders have increased capacity to implement and operate NPKI as well as the ability to comply with the standards defined by the regulator (Communications Authority).
  • Strengthened levels of national cyber security for e-government systems and the Secure Cyber Security Foundation for the country.

Outputs

12 PKI policies were established, in line with international best practice and endorsed by myriad cross-government stakeholders (including the President’s Office), which set the benchmark for PKI for government and private entities.

These include:

  • Policy 1: Information security management policy for Specific GovCA
  • Policy 2: Access control policy for GovCA
  • Policy 3: Governing elements of asset classification and management within GovCA
  • Policy 4: Elements of human resource security within GovCA
  • Policy 5: Guidelines to ensure that risks associated with Registration Authority are minimised
  • Policy 6: Provides terms and conditions that govern the contractual relationship between the subscriber and the GovCA
  • Policy 7: Business Continuity and Disaster Recovery controls to ensure NPKI business operations and critical infrastructure are resumed in a timely manner in the event of a disaster or other business interruption
  • Policy 8: Rules for the protection of information systems from physical and environmental threats to ensure the confidentiality, integrity and availability of GovCA critical infrastructure and resources
  • Policy 9: System Development, Maintenance and Change Management to ensure that development, maintenance and changes to services and configuration items are documented, approved, and implemented in a planned and controlled manner with minimal disruption to services
  • Policy 11: Certificate Policy. Enables certificate-based authentication, data integrity and confidentiality in the government administration’s ICT systems, electronic document exchange and in online services
  • Policy 12: Certification Practice Statement specifies the practices that GovCA employs to issue digital certificates on its public key infrastructure (PKI).

Activities

Three training workshops, including: in-person training of 45+ ICTA staff, designed to develop ICTA’s PKI technical capacity and to secure cross-government departmental buy-in; a stakeholder workshop presenting the PKI to 13 government departments; and a session held with the ICTA Board to take them through the final policy drafts, ensuring they were sufficiently comfortable with the policies to sign off on them and develop further learning for other government departments, thereby allowing the PKI to launch.


The Cybil project repository is being continuously updated, and the information it contains is either publicly available, or consent for publication was given by the owner. Please contact the portal manager with any additional information or corrections. Whilst every reasonable effort is made to keep the content of this inventory accurate and up to date, no warranty or representation of any kind, express or implied, is made in relation to the accuracy, completeness or adequacy of the information contained in these pages.